[SRX] Can't manage Chassis Cluster (High Availability)



Article ID: KB21113   KB Last Updated: 04 Mar 2017   Version: 5.0

How to troubleshoot management issues with the nodes built in a Chassis Cluster.

This troubleshooting flow is part of the Resolution Guide -- SRX Chassis Cluster (High Availability).

To be able to manage the SRX Chassis Cluster through the management/revenue ports or by using NSM or other management devices.



Perform the following steps:

step1  Are you trying to manage the Chassis Cluster using NSM?

step2  Which port are you using to manage the device?

  • Cluster Management port (FXP0) - Continue to Step 3
  • One of the revenue ports:

    Note:  Only the primary node can be managed using the revenue port.  A revenue port is used for traffic processing.

    SRX requires separate links for the Control and Datalink (Fabric link on SRX) as separate connections are required to the control and dataplane. Any available revenue port is used for the Datalink port.

    For configuration assistance on management through a revenue port, refer to KB16647 - SRX Getting Started - Configure Management Access. Keep in mind that the article provides configuration guidelines for managing a stand-alone device; however, the configuration remains the same. Also check Step 6 for confirming that SSH/Telnet/HTTP is enabled on the revenue port used for managing the device.

step3  Which Chassis Cluster node are you having trouble managing? 

  • Primary    -  Continue to Step 4
  • Secondary   -  Jump to Step 11
  • Both Primary & Secondary  - Continue to Step 4

step4  Which method are you using to manage the device?

  • J-Web  -  Continue to Step 5
  • SSH/Telnet - Jump to Step 6

step5  Connect to the primary node via a console.  Is the device running Junos 10.4 or above? 

  • Yes - Run the command:  root@srx# show system services web-management
    Is the loopback (lo.0) interface configured under the Web management http/https configuration?  Refer to Junos 10.4 SRX Release Notes for “Changes in the Web access behavior”.

    If it is configured, remove the loopback interface and try to manage the device again. To remove the loopback interface from under web-management, run the command:  delete system services web-management http interface lo.0   and commit the change.

    If it is still unmanageable, proceed to Step 6.

  • No  - Continue to Step 6

step6  Connect to the primary node via a console. Verify configuration of the management interface.

  • Confirm that the desired system services (i.e. SSH, TELNET, and/or HTTP) are enabled under host-inbound-traffic in the relevant zone:

    zones {
    security-zone trust {
    host-inbound-traffic {
    system-services {
    protocols {
    interfaces {

  • Confirm that the desired system services (i.e. SSH, TELNET, and/or HTTP) are enabled in the system services hierarchy:

    {primary:node1}[edit]
    root# show system services {

step7  Does ping to the management interface work?

step8  Run the command:

root@SRX> show interfaces terse

Is the FXP0 interface showing as Up and also providing an IP address?

  • Yes - Continue to Step 9
  • No - Check the following three sub-steps and follow accordingly.

    1. Verify that fxp0 is properly configured under the groups hierarchy. You can refer to the configuration example in KB17161 or check the minimal configuration as shown below:

      root@srx# show groups
      node0 {
          interfaces {
              fxp0 {
                  unit 0 {
                      family inet {

    2. Confirm that the cable connected to the fxp0 interface is a good one and check for error counters incrementing when you run the following command:

      root@srx> show interfaces fxp0.0 extensive

      If you find errors in this, proceed to Step 14 to open a case with your technical support representative.

    3. If the device is still unmanageable, proceed to Step 9.

step9  Is the IP address of the FXP0 interface and IP address of the management PC in the same subnet?  

  • Yes - Continue to Step 10
  • No  - From the SRX, run the command:  show route <management PC IP>

    If a route does not exist to the management PC's IP, add a route for the management subnet in the inet.0 table with the next-hop as the backup router IP.
    If the device is still unmanageable, proceed to Step 14.

step10 Is there an ARP entry for the management PC on the SRX? Check using the command:  root@SRX> show arp no-resolve | match <ip>

  • Yes - Does the SRX have multiple routes to the management PC?    Check using the command:  show route <PC-ip>
    • Yes - There may be routes to the management PC through both fxp0 and another interface, which can result in asymmetric routing. Check if the fxp0 and any reth interface IP are in the same subnet. If there are multiple routes, open a case with your technical support representative.
    • No - Continue to Step 11.
  • No - Open a case with your technical support representative. Proceed to Step 14.

step11  Which method are you using to manage the secondary node?

step12  Verify configuration on the backup node. 

Verify the configuration on the backup node for the management interfaces by following Step 6. After that, check the following articles for more information on the configuration guidelines.

KB17161 - Cannot manage SRX via fxp0 in chassis cluster

KB15580 - 'backup-router' command configuration on Chassis Cluster  

Once the configuration is correct, and if you still cannot manage the node, continue to Step 13.

step13  Is the IP address of the backup FXP0 interface and the IP address of the FXP0 interface of the primary node in the same subnet?

  • Yes - Proceed to Step 14
  • No - Configure fxp0 and backup router in same subnet. Go back to Step 12 and verify configuration.

step14 If the above steps do not resolve this problem, refer to KB20795 - How-to's and troubleshooting articles for managing a Chassis Cluster for additional solutions.  Otherwise, collect the necessary logs from BOTH devices, and open a case with your technical support representative.
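
The addressing checks in Steps 9, 10 and 13 can be run offline against planned or collected interface addresses. The following is an added example, not part of the original article or any Juniper tooling; the function name, the input layout and all addresses (documentation ranges) are constructed for illustration, and the reth check is generalized from "same subnet" to any overlapping subnet.

```python
import ipaddress

def check_mgmt_addressing(fxp0, reth, mgmt_pc, backup_router=None):
    """Return (step, message) findings for the subnet checks in Steps 9, 10 and 13.

    fxp0: {"node0": "addr/prefix", "node1": "addr/prefix"}
    reth: {"reth0.0": "addr/prefix", ...}
    """
    findings = []
    nets = {node: ipaddress.ip_interface(a).network for node, a in fxp0.items()}
    pc = ipaddress.ip_address(mgmt_pc)

    # Step 13: the fxp0 interfaces of both nodes should share one subnet.
    if len(set(nets.values())) > 1:
        findings.append((13, "fxp0 addresses of the nodes are in different subnets"))

    for node, net in sorted(nets.items()):
        # Step 9: an off-subnet management PC is only reachable if a route exists.
        if pc not in net:
            findings.append((9, f"{node}: {pc} is outside {net}; "
                                f"confirm 'show route {pc}' returns a route"))
        # Step 13: the backup router must sit in the fxp0 subnet.
        if backup_router and ipaddress.ip_address(backup_router) not in net:
            findings.append((13, f"{node}: backup router {backup_router} "
                                 f"is outside fxp0 subnet {net}"))
        # Step 10: fxp0 sharing address space with a reth interface can give
        # two routes to the management PC (asymmetric routing).
        for name, addr in sorted(reth.items()):
            if ipaddress.ip_interface(addr).network.overlaps(net):
                findings.append((10, f"{node}: fxp0 subnet {net} overlaps {name} ({addr})"))
    return findings

# Constructed sample inputs (RFC 5737 documentation addresses).
OVERLAPPING = dict(
    fxp0={"node0": "192.0.2.1/24", "node1": "192.0.2.2/24"},
    reth={"reth0.0": "192.0.2.129/25", "reth1.0": "203.0.113.1/24"},
    mgmt_pc="198.51.100.10",
    backup_router="192.0.2.254",
)
CLEAN = dict(
    fxp0={"node0": "192.0.2.1/24", "node1": "192.0.2.2/24"},
    reth={"reth0.0": "203.0.113.1/24"},
    mgmt_pc="192.0.2.50",
    backup_router="192.0.2.254",
)

if __name__ == "__main__":
    for step, msg in check_mgmt_addressing(**OVERLAPPING):
        print(f"Step {step}: {msg}")
```

An empty result means the addressing passes these three checks; it does not confirm that the services in Step 6 are enabled or that a route is actually installed.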
